[ale] Garbage spewer, part II

tewkewl at mindspring.com tewkewl at mindspring.com
Fri Jun 22 08:44:50 EDT 2001


Let me see if I have this straight.


ISP -----> serial connection -----> your router ----->your switch

or is it just that you have a couple of servers that are 
colocated at your isp?

You are on a test box with its nic in promiscuous mode,
and you are actually seeing conversation between internet hosts
and a totally different web server?  And does the test box have two nics?  If not, how are you putting the nic in promiscuous mode?  Are you local to the machine? (If the nic is truly in promiscuous mode you wouldn't be able to bind an ip stack to it.)  Are you just running tcpdump or iptraf?  Does the box have X on it?  Can you run ethereal and take a 5-10 minute trace?  If so you can email it to me and I will look at it.

You should not see ANY traffic to other hosts other than broadcasts if you are on a switch. (without actually manipulating the switch to mirror ports)

Is your nic on autonegotiate?  If so, see what it negotiated to...If it's not full duplex, you stand a great chance of being on a hub.

Just some things to check.

-Patrick

djinn at djinnspace.com wrote:
> Thanks to everyone for the help and advice regarding my sudden
> transition into a bandwidth hog.
>
> Here's part II:  I spent about 8 hours doing forensics and as far as
> I can tell, the machine has not been cracked.  No unauthorized ports
> listening, no replaced binaries, chkrootkit came up empty.  So I put
> the machine back on the network and watched for a while....behaved like a
> good little linux box.  THEN I started sending mail again.  Suddenly,
> 5000ms ping time.  Whenever I send out large quantities of mail, I fill
> up our allotted bandwidth and can't wedge a packet in to save my life.
> The machine in question is on the same subnet as my office firewall, so
> during the day we generate a reasonable amount of outbound (mostly http)
> traffic, and nothing like this happens.  It appears to only hate smtp
> packets (honestly, I don't blame it).
>
> I put tcpdump and iptraf on the mail machine, and just looking at the
> outbound traffic from that nic, all appears normal--I am only sending
> out the types and quantities of packets I expect to see, when I'm sending
> mail and when I'm not.  I don't quite understand how to read iptraf
> information, am working on that now...but didn't see anything
> immediately alarming.
>
> Here's the interesting part--if I put the nic in promiscuous mode, I can
> see all sorts of traffic bound for machines that I shouldn't be able to
> see.  For example, our ISP swears that our production machines are on
> their own switched subnet and not sharing traffic with anyone.  Which
> makes me curious as to why I can see packets from a foreign host,
> inbound to the production web server, from my test web server sitting
> way far away on another subnet.  I was under the impression that tcpdump
> and iptraf can't get past a switched segment...is this true?  Anyone
> know?  Am I using the right terminology or do I sound like an idiot??
>
> So, if any network gurus out there would like to offer an opinion on
> what to do from here, and how I can track down the problem, I would be
> much appreciative.  I know it's the ISP's problem, but I don't think
> they're going to be any help, and now that the scare is over this is
> getting interesting.  Pointers to good references on this sort of thing
> would also be appreciated.
>
> Thanks again
>
> Cheers
> jenn

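As an added example (not from this thread or either poster) of Patrick's point that a switched port should deliver only your own frames plus broadcasts, here is a small Python classifier for raw Ethernet frames captured in promiscuous mode; the MAC addresses and sample frames are constructed placeholders, not real hosts.

```python
# Classify frames seen by a NIC in promiscuous mode. On a properly switched
# port you should see only frames to you, from you, broadcast or multicast;
# a steady flow of unicast between two OTHER hosts means hub, mirror or flooding.
import struct
from collections import Counter

BROADCAST = b"\xff" * 6

def classify_frame(frame: bytes, local_mac: bytes) -> str:
    """Return the class of one raw Ethernet frame relative to local_mac."""
    if len(frame) < 14:                 # shorter than an Ethernet header
        return "runt"
    dst, src = frame[:6], frame[6:12]
    if dst == local_mac:
        return "to-me"
    if src == local_mac:
        return "from-me"
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                   # group bit set: multicast
        return "multicast"
    return "foreign-unicast"            # two other hosts talking

def segment_report(frames, local_mac: bytes):
    """Count frame classes and flag the segment as shared if any foreign
    unicast was seen. A single stray frame can be normal switch flooding
    (unknown destination MAC), so judge the ratio over a 5-10 minute trace."""
    counts = Counter(classify_frame(f, local_mac) for f in frames)
    return counts, counts["foreign-unicast"] > 0

def make_frame(dst: bytes, src: bytes, ethertype: int = 0x0800) -> bytes:
    """Build a minimal frame with a dummy payload (constructed test data)."""
    return dst + src + struct.pack("!H", ethertype) + b"\x00" * 46

# Constructed sample capture: MACs are placeholders, not real hosts.
ME       = bytes.fromhex("0200000000aa")   # the test box's NIC
WEBSRV   = bytes.fromhex("0200000000bb")   # colocated production web server
INTERNET = bytes.fromhex("0200000000cc")   # some upstream router/host
SAMPLE = [
    make_frame(BROADCAST, WEBSRV, 0x0806),                      # ARP request
    make_frame(ME, INTERNET),                                   # reply to me
    make_frame(INTERNET, ME),                                   # my own outbound
    make_frame(bytes.fromhex("333300000001"), WEBSRV, 0x86DD),  # IPv6 multicast
    make_frame(WEBSRV, INTERNET),                               # not for me
    make_frame(INTERNET, WEBSRV),                               # not for me
]

if __name__ == "__main__":
    counts, shared = segment_report(SAMPLE, ME)
    print(dict(counts), "shared segment suspected:", shared)
```

The same classification can be applied live with a tcpdump filter such as `not ether dst <your MAC> and not ether src <your MAC> and not ether broadcast and not ether multicast`, which should print next to nothing on a real switched port.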
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
